Trade secret law and the Computer Fraud and Abuse Act (Part 2)

Under the CFAA, “[a]ny person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief.”[1] To utilize this provision in the context of trade secret misappropriation a plaintiff must satisfy the many requirements of section 1030(g).

First, a plaintiff must allege that the defendant committed one of the seven listed offenses.[2] Four of these offenses involve conduct most likely to be associated with trade secret misappropriation or other information theft.[3] Section 1030(a)(2) makes it a crime to “intentionally accesses a computer without authorization or exceed authorized access” to “obtain . . . information from a protected computer.” Section 1030(a)(3) prohibits an individual from knowingly and intentionally attempting to defraud and obtain anything valuable from a computer by accessing it without authorization or by exceeding authorization. Sections 1030(a)(5)(B) and 1030(a)(5)(C) bar an individual from either recklessly causing damage or causing damage and loss, as a result of accessing a computer without authorization. After claiming the defendant has engaged in one or more of the above offenses, the plaintiff “may maintain a civil action against the violator . . . if the [violator’s] conduct involves . . . loss to one or more persons during any 1-year period aggregating at least $5,000 in value,” provided “such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage.” [4]

Since the CFAA’s adoption, criminal and civil courts alike have struggled to consistently articulate and apply several important terms in the statute. Most notably, circuit splits exist concerning the meaning of authorized access versus exceeding authorized access. Additionally, it is not clear what injuries under the statute qualify as compensable “loss” and “damages.”

Access: When is it authorized and when does it exceed authorization?

Each of the four offenses related to trade secret misappropriation requires that the offender access a computer without authorization or in a way that exceeds authorization.[5] As defined in the statute, an individual “exceeds authorized access” when he or she “access[es] a computer with authorization and [uses] such access to obtain or alter information in the computer that [he or she] is not entitled . . . to obtain or alter.”[6] Problematically, this definition turns on the elusive meaning of the term “authorization,” which Congress did not define. The issue is whether “authorization” pertains to authorized use of information or authorized access of information.

Some courts hold that authorization is determined by how information is used

Several courts have used an agency theory to find that an individual’s access to information is unauthorized whenever the use of the accessed information is contrary to the purpose for which the individual was initially granted access to the information.[7]

The Seventh Circuit has held that where a departing employee breaches his duty of loyalty to his company “his authority to access” his company computer is terminated “because the only basis of his authority had been that relationship.”[8] In International Airport Centers, L.L.C. v. Citrin, a real estate business employed the defendant, Citrin, to identify and help acquire prospective properties for the business.[9] The company “lent Citrin a laptop to use to record data that he collected in the course of his work in identifying potential acquisition targets.”[10] Eventually Citrin decided to quit and go into business for himself, in breach of his employment contract.[11] Before returning his laptop, Citrin deleted all the information from it using special software designed to make impossible any efforts to recover the deleted information.[12] In doing so, Citrin not only deleted all of his previous work for the company but, perhaps more importantly, made it impossible for his employers to determine whether he engaged in any improper conduct, such as trade secret misappropriation, before he quit.[13] Judge Posner, writing for the majority, explained that when it passed the CFAA, Congress was concerned with both external threats, individuals who hack into a computer system from the outside, as well as internal threats, individuals who improperly exploit their authorized access to a computer system.[14] In this case, Citrin’s “authorization to access the laptop terminated when . . . he resolved to destroy files that incriminated himself and other files that were also the property of his employer, in violation of the duty of loyalty that agency law imposes on an employee.”[15]

This interpretation of “authorization” is also known as the “disloyal mind” approach, and has been implicitly adopted by the First, Fifth, and Eleventh Circuits.

Other courts hold that authorization is determined by how information is accessed

The Fourth and Ninth Circuits have noted that as an anti-hacking law, the CFAA is not concerned with how an individual uses information, but only whether the individual was authorized to access the information at the time he or she accessed it.[16]

According to the Ninth Circuit, the phrase “exceeds authorized access” should be construed narrowly, and applies only to “violations of restrictions on access to information, and not restrictions on its use.” In Nosal, a former employee of an executive search firm recruited some of his former colleagues who were still working at the firm to use their log-in credentials to access and download sensitive and confidential information from the firm’s computer database. The employees were authorized to access the information, but violated firm policy when they disseminated the confidential information to Nosal. The government charged Nosal with twenty counts, including violations of CFAA § 1030(a)(4), “for aiding and abetting the [former] employees in ‘exceed[ing their] authorized access’ with intent to defraud.” The Ninth Circuit upheld the district court’s dismissal of the CFAA claims, and held that because Nosal’s accomplices had permission to access the company database and its confidential information, Nosal had not “exceed[ed] authorized access” under 18 U.S.C. § 1030(a)(4). In reaching its decision, the court acknowledged that the government’s argument, making authorization dependent on an individual’s use of the information, was in line with the opinions of several other circuits.[17] The Ninth Circuit, however, disagreed with this interpretation because it feared that if the meaning of authorized conduct focused on use rather than access it “would transform the CFAA from an anti-hacking statute into an expansive misappropriation statute.”[18] If Congress intended such an expansion, the court explained, it was up to Congress to clarify the statute.[19] Writing for the majority, Chief Judge Kozinski described in expansive detail the practical problems that might arise if the CFAA were given such a broad interpretation.

For example, it’s not widely known that, up until very recently, Google forbade minors from using its services. Adopting the government’s interpretation would turn vast numbers of teens and pre-teens into juvenile delinquents—and their parents and teachers into delinquency contributors. Similarly, Facebook makes it a violation of the terms of service to let anyone log into your account. Yet it’s very common for people to let close friends and relatives check their email or access their online accounts. Some may be aware that, if discovered, they may suffer a rebuke from the ISP or a loss of access, but few imagine they might be marched off to federal prison for doing so.[20]

A broad interpretation of the statute would thus subject a wide range of citizens to an uncertain degree of criminal liability, and would also violate the rule of lenity, a substantive canon of statutory interpretation. Under the rule of lenity, the meaning of an ambiguous criminal statute should be resolved in favor of the defendant. “The rule of lenity not only ensures that citizens will have fair notice of the criminal laws, but also that Congress will have fair notice of what conduct its laws criminalize. We construe criminal statutes narrowly so that Congress will not unintentionally turn ordinary citizens into criminals.”[21]

Judge Kozinski then dismissed the Government’s argument that it would not use the CFAA to “prosecute minor violations,” citing the United States Supreme Court’s decision in United States v. Stevens, which stated the Court “would not uphold an unconstitutional statute merely because the Government promised to use it responsibly.”[22] In support of his skepticism, Judge Kozinski described U.S. v. Drew, a well-publicized case where a jury found a mother guilty of a misdemeanor under CFAA section 1030(a)(2)(C), because she violated the social network site MySpace’s terms of service when she “posed as a 17–year–old boy and cyber-bullied her daughter’s classmate.”[23]

The Ninth Circuit concluded its opinion by affirming the Northern District’s dismissal of all CFAA claims dealing with instances where Nosal himself logged into his former employer’s computer system.[24] The court did not address three additional CFAA claims, which Nosal had not included in his original motion to dismiss.[25] After the case was returned to the Northern District, Nosal filed a motion to dismiss the remaining CFAA claims for failure to state an offense, which the court denied.[26] The remaining counts involved two slightly different means by which Nosal accessed his former employer’s computer database.[27] Two of the counts alleged that Nosal accessed the database after logging-in with a current employee’s log-in credentials.[28] The third count alleged that Nosal had accessed the database when he was with a current employee, who logged into the system using her credentials, then let Nosal use her computer.[29] The District Court explained that the Ninth Circuit’s holding was limited to instances where the access at issue was permitted by the company at the time it occurred.[30] These remaining claims, however, alleged conduct where Nosal was not permitted to access the company’s computers, but did so anyway with the help of current employees.[31] In the District Court’s view, if the CFAA did not “apply where an authorized employee gave or even sold his or her password to another unauthorized individual, the CFAA could be rendered toothless.”[32]

Loss and Damages

In a trade secret case a plaintiff can recover injunctive relief, as well as monetary damages covering “both the actual loss caused by misappropriation and the unjust enrichment caused by misappropriation that is not taken into account in computing actual loss.”[33] Actual loss generally relates to lost profits a business attributes to the misappropriation of its trade secrets, while unjust enrichment concerns any earnings the guilty party made as a direct result of its misappropriation of the victim’s trade secret.[34] Today most trade secrets are maintained on computer systems, which means that in many cases of trade secret misappropriation the CFAA may be implicated as well. While violation of the CFAA entitles a plaintiff to compensatory, injunctive, and other equitable relief, it is unclear to what extent such remedies can be applied to trade secret misappropriation cases. This uncertainty is generated by disputes over the meaning of the terms “damages” and “loss.”

Damages

The statute defines “damage” as “any impairment to the integrity or availability of data, a program, a system, or information.”[35] Courts have disagreed, however, as to whether an employer’s loss of the exclusive use or control of confidential information that results from trade secret misappropriation satisfies the CFAA’s definition of damage.

The District Court for the Northern District of Illinois, for example, has held that “‘trade secrets misappropriated through unauthorized computer access [do] not qualify as damage under the CFAA’s definition of the term.’”[36] In that case, a company specializing in electronic latching systems, TriTeq, brought CFAA claims against a former employee and his new employer.[37] TriTeq claimed that the former had “‘recklessly caused damage’” sufficient to meet the requirement under section 1030(a)(5)(B).[38] The court noted that several courts had concluded that “damage” for CFAA purposes “refers to ‘the destruction, corruption, or deletion of electronic files, the physical destruction of a hard drive, or any ‘diminution in the completeness or usability of the data on a computer system.’”[39] In this case, however, the only harm TriTeq alleged was that its former employee had “obtained and caused the transmission of TriTeq’s trade secrets and confidential information.”[40] According to the court, these alleged harms did not constitute damage under the CFAA.[41]

This interpretation is in direct opposition to that of the District Court for the Eastern District of Pennsylvania, which found that for purposes of the CFAA, the loss of confidential company information constituted damage to the plaintiff’s computer database.[42] In HUB Group, Inc. v. Clancy, a departing employee sent email attachments to his wife that contained his current employer’s confidential pricing and customer information.[43] The employer, HUB Group, brought a CFAA claim, arguing that its “computer database was damaged through Clancy’s unauthorized access to [its] confidential information.”[44] Citing a litany of similar holdings from district courts across the country, the court found that these damages were “of the type covered under the Act.”[45] In reaching this conclusion, the court employed a use theory to find that although Clancy was authorized to access the pricing and customer information at the time he sent the emails, he was not authorized to email the information to his wife so that he could use the information at his new job.[46] Most interesting, however, is the breadth the court gave the CFAA damage requirement. In its findings of fact, the court concluded that there was “uncontroverted evidence that Clancy did not actually use the information he emailed from his HUB computer to his wife’s email account.”[47] Additionally, the court cast doubt on the value of the pricing information, noting that prices fluctuated rapidly and were readily available from public sources.[48] The idea that the misappropriation of trade secrets qualifies as damage to a computer is controversial enough, but how can a computer be damaged when the information taken is not particularly valuable, and was not even used? As noted above, several courts have interpreted the CFAA with similar breadth in application.

Loss

To bring a civil suit for trade secret misappropriation under the CFAA, the defendant’s alleged conduct must have caused “loss to 1 or more persons during any 1-year period . . . aggregating at least $5,000 in value.”[49]

[T]he term “loss” means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.[50]

Courts disagree whether this definition encompasses lost profits and decreased trade secret value associated with the misappropriation of a trade secret. It is also unsettled whether the costs of investigating and responding to trade secret misappropriation constitute loss under the CFAA.

The District Court for the District of Nebraska, for example, has interpreted “loss” broadly to encompass lost profits caused by the misappropriation of trade secrets.[51] In Ervin & Smith Advertising & Public Relations, Inc. v. Ervin, an advertising, marketing, and public relations firm sued two former officers of the firm who had resigned and started a competing business.[52] The plaintiff alleged that the defendants violated the CFAA when, in the months before they left the company, they “e-mailed confidential, trade secret, and copyrighted documents to their home computers in order to use the information for their own personal gain.”[53] First, following Citrin, the court found that the defendants exceeded their “authorized access” when they allegedly violated the confidentiality agreement in their employment contracts and allegedly appropriated Plaintiff’s secret information for their own private benefit.[54] Next the court quoted from a First Circuit opinion, EF Cultural Travel BV v. Explorica, Inc., where the court explained that it “‘would flout Congress’s intent’” if the court were to restrict CFAA losses to those associated with physical damage to a computer system.[55]

As we move into an increasingly electronic world, the instances of physical damage will likely be fewer while the value to the victim of what has been stolen and the victim’s costs in shoring up its security features undoubtedly will loom ever-larger. If we were to restrict the statute as [Defendants] urge, we would flout Congress’s intent by effectively permitting the CFAA to languish in the twentieth century, as violators of the Act move into the twenty-first century and beyond.[56]

This case is an example of an extraordinarily broad application of the CFAA. The defendants’ access to the information was unauthorized not because they were not permitted to access the information, but because their intended use of the information was “disloyal.” Additionally, despite a complete absence of any textual justification, the court found that Congress must have intended that profits lost due to the misappropriation of trade secrets represented compensable loss under the CFAA.


[1] 18 U.S.C § 1030(g).

[2] 18 U.S.C § 1030(g) (the seven offenses are listed in section 1030(a)).

[3] Two other provisions may possibly relate to a trade secret dispute, but due to their narrow applicability and absence in the case law, this post focuses only on the four elements that are repeatedly found in practice. Section 1030(a)(2)(A) deals with financial information and financial institutions, while section 1030(a)(5)(A) concerns the transmission of information that causes damages to a computer system.

[4] 18 U.S.C § 1030(g); 18 U.S.C § 1030(c)(4)(A)(i)(I). Non-trade secret related activities that can trigger a claim under section 1030(g) include “(I) loss to 1 or more persons during any 1-year period… aggregating at least $5,000 in value; (II) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals; (III) physical injury to any person; (IV) a threat to public health or safety; [or] (V) damage affecting a computer used by or for an entity of the United States Government in furtherance of the administration of justice, national defense, or national security.” Id. (c)(4)(A)(i)(I)-(V).

[5] 18 U.S.C § 1030(a)(2, 3, 5).

[6] 18 U.S.C § 1030(e)(6).

[7] See Int’l Airport Centers, L.L.C. v. Citrin, 440 F.3d 418 (7th Cir. 2006); Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc., 119 F.Supp.2d 1121 (W.D.Wash.2000).

[8] Int’l Airport Centers, L.L.C. v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2006).

[9] Id. at 419.

[10] Id.

[11] Id.

[12] Id.

[13] Id.

[14] Id. at 420.

[15] Id. at 420 (citing United States v. Galindo, 871 F.2d 99, 101 (9th Cir.1989); Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc., 119 F.Supp.2d 1121, 1124-25 (W.D.Wash.2000); see Restatement (Second) of Agency §§ 112, 387 (1958)).

[16] WEC Carolina Energy Solutions LLC v. Miller, No. 11-1201 (4th Cir. 2012).

[17] United States v. Nosal, 676 F.3d 854, 862 (9th Cir. 2012) (“These courts looked only at the culpable behavior of the defendants before them, and failed to consider the effect on millions of ordinary citizens caused by the statute’s unitary definition of ‘exceeds authorized access.’”).

[18] Id. at 857.

[19] Id. at 863.

[20] Id. at 861 (citations omitted).

[21] Id. at 863.

[22] Id. at 862 (citing United States v. Stevens, 559 U.S. 460 (2010)).

[23] The MySpace terms of service barred lying about identifying information including age. The violation came to light and the prosecution began after the cyber-bullied classmate committed suicide. The court vacated the conviction. United States v. Drew, 259 F.R.D. 449 (C.D. Cal. 2009).

[24] Id. at 864.

[25] United States v. Nosal, CR-08-0237 EMC, 2013 WL 978226 *4 (N.D. Cal. Mar. 12, 2013).

[26] Id.

[27] Id. at *3.

[28] Id.

[29] Id.

[30] Id. at *4.

[31] Id. at *9.

[32] Id. at *9.

[33] U.T.S.A. § 1.4; Unjust enrichment is “a benefit obtained from another, not intended as a gift and not legally justifiable, for which the beneficiary must make restitution or recompense.” Black’s Law Dictionary 748 (3d Pocket ed. 2006).

[34] See generally Morlife, Inc. v. Perry, 56 Cal. App. 4th 1514, 1528, 66 Cal. Rptr. 2d 731 (1997).

[35] 18 U.S.C § 1030(e)(8).

[36] TriTeq Lock & Security LLC v. Innovative Secured Solutions, LLC, Civil Action No. 10 CV 1304, 2012 BL 296156 (N.D. Ill. Feb. 01, 2012) (quoting Cassetica Software, Inc. v. Computer Sciences Corp., Case No. 09 C 0003, 2009 BL 130926, 2009 ILRC 2093 (N.D. Ill. June 18, 2009)).

[37] The claims were brought “under 1030(g) for violating § 1030(a)(2), (a)(4), and (a)(5)(A)-(C) based upon conduct involving ‘loss to 1 or more persons during any 1-year period … aggregating at least $5,000 in value.’” TriTeq Lock & Security LLC v. Innovative Secured Solutions, LLC, Civil Action No. 10 CV 1304, 2012 BL 296156 (N.D. Ill. Feb. 01, 2012)

[38] 1030(a)(5)(B) liability attaches to “[w]hoever . . . intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage.”

[39] TriTeq Lock & Security LLC v. Innovative Secured Solutions, LLC, Civil Action No. 10 CV 1304, 2012 BL 296156 (N.D. Ill. Feb. 01, 2012) (citing Farmers Ins. Exch. v. Auto Club Group, 823 F. Supp. 2d 847, 852 (N.D. Ill. 2011) (quoting Cassetica Software, Inc. v. Computer Scis. Corp., No. 09 C 0003, 2009 WL 1703015, at *3 (N.D. Ill. June 18, 2009))).

[40] TriTeq Lock & Security LLC v. Innovative Secured Solutions, LLC, Civil Action No. 10 CV 1304, 2012 BL 296156 (N.D. Ill. Feb. 01, 2012).

[41] Id.

[42] HUB Group, Inc. v. Clancy, 2006 WL 208684, *2-4 (E.D. Pa. Jan. 25, 2006).

[43] Id.

[44] Id.

[45] Id.

[46] Id.

[47] HUB Group, Inc. v. Clancy, CIV.A. 05-2046, 2006 WL 208684 (E.D. Pa. Jan. 25, 2006).

[48] Id.

[49] 18 U.S.C § 1030(c)(4)(i)(I).

[50] 18 U.S.C § 1030(e)(11).

[51] Ervin & Smith Adver. & Pub. Relations, Inc. v. Ervin, 8:08CV459, 2009 WL 249998 (D. Neb. Feb. 3, 2009).

[52] Id.

[53] Id.

[54] Id.

[55] Id. (quoting EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 585 (1st Cir.2001)).

[56] EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 585 (1st Cir. 2001). Importantly, EF Cultural Travel BV was decided before the CFAA contained a definition of the term “loss.” Congress added the current definition in a 2001 amendment to the law.
